<div dir="ltr">I think we are on update 1. It is just broken.<br><br>What was the old saying about RedHat .0 and .1 releases... :-)<br><br><div class="gmail_quote">On Mon, Sep 29, 2008 at 11:10 AM, <span dir="ltr"><<a href="mailto:krwatson@cc.gatech.edu">krwatson@cc.gatech.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">James,<br>
<br>
I talked to the guys in our shop that ran into this same problem.<br>
<br>
You need the latest versions of sudo and nss and you need to be at RHEL 5 update 2. nss was broken in update 1.<br>
<br>
They said you could do a yum remove nss-devel then do a yum update to get the latest nss.<br>
<br>
keith<br>
<font color="#888888"><br>
--<br>
<br>
Keith R. Watson<br>
Systems Support Specialist IV<br>
<a href="mailto:keith.watson@cc.gatech.edu">keith.watson@cc.gatech.edu</a><br>
(404) 385-7401<br>
<br>
Georgia Institute of Technology<br>
College of Computing<br>
801 Atlantic Drive NW<br>
Atlanta, GA 30332-0280<br>
</font><div><div></div><div class="Wj3C7c"><br>
> -----Original Message-----<br>
> From: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] On Behalf Of Jim<br>
> Kinney<br>
> Sent: Saturday, September 27, 2008 08:57<br>
> To: <a href="mailto:ale@ale.org">ale@ale.org</a><br>
> Subject: [ale] sudo, ldap, local user, SLOW!<br>
><br>
> I have a strange problem that I'm not finding a solution to.<br>
><br>
> Server (redhat 5 EL) uses ldap for user authentication and also has some<br>
> local accounts that are not in ldap. nsswitch is set for files ldap for<br>
> passwd.<br>
> I can run "getent passwd | grep localuser" and it returns correct data in<br>
> about .5 seconds. It does the same for an ldap account check.<br>
><br>
> The fun begins when an ldap user tries to run "sudo su - localuser".<br>
> (localuser is a process account like "oracle" and others) What the user<br>
> sees is 2+ minutes of system hang then success. What I see when tailing<br>
> logs is sudo trying to talk through ldap to get authentication. It shows<br>
> no connection, failure to bind errors. It eventually times out and at that<br>
> time the user sees the successful su change.<br>
><br>
> sudoers file allows the ldap user to use su.<br>
><br>
> I'm suspicious that something is not talking right with PAM for sudo. It<br>
> _should_ be getting all its user credentialling through PAM. But the sudo<br>
> module in PAM is calling system-auth which _has_ the proper local file,<br>
> ldap stuff since that's how logins are handled.<br>
><br>
> ?????ideas?????<br>
><br>
> --<br>
> --<br>
> James P. Kinney III<br>
><br>
<br>
<br>
</div></div><div><div></div><div class="Wj3C7c">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III <br><br>
</div>
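<div dir="ltr">An added diagnostic for the situation in this thread (not code from the thread or from any of its authors): the script below reads an nsswitch.conf and a passwd file and states whether a name lookup should be answered from local files without ever consulting LDAP. With <code>passwd: files ldap</code>, NSS stops at the first source that returns the entry, so a local account such as the process account above should not cause an NSS round trip to the directory; LDAP bind errors logged during <code>sudo su - localuser</code> then point at something other than the NSS lookup order (sudo's PAM stack, sudo's own LDAP use if it is enabled, or a broken nss library as the thread concludes). The sample nsswitch and passwd contents are constructed; the <code>live_check</code> helper, which reads <code>/etc/nsswitch.conf</code> and <code>/etc/passwd</code> and times <code>getent</code>, is for use on a real host.</div>

```shell
#!/bin/sh
# Added diagnostic (not the thread's own code): decide from nsswitch.conf and
# the local passwd file whether NSS should resolve a name locally, so a slow
# "sudo su - localuser" can be separated into NSS delay versus sudo/PAM/LDAP work.

# Constructed sample nsswitch.conf, mirroring the "files ldap" order in the thread.
SAMPLE_NSSWITCH='# constructed sample
passwd:     files ldap   # local accounts first, then the directory
shadow:     files ldap
group:      files ldap
hosts:      files dns'

# Constructed sample /etc/passwd with a local process account like "oracle".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:500:500:Oracle process account:/home/oracle:/bin/bash'

# nss_sources DB  <  nsswitch.conf
# Prints the sources configured for database DB (e.g. "files ldap"), in order.
nss_sources() {
    awk -v db="$1" '
        BEGIN { key = db ":" }
        { sub(/#.*/, "") }                  # drop comments, including trailing ones
        $1 == key {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
            exit
        }'
}

# is_local_user NAME  <  passwd
# Succeeds (exit 0) when NAME has an entry in the passwd file on stdin.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# lookup_path NAME NSSWITCH_TEXT PASSWD_TEXT
# Prints "files" when NSS should resolve NAME from the local file without
# consulting LDAP (first passwd source is files and the entry exists),
# otherwise "remote" (NSS will fall through to the next source, e.g. ldap).
lookup_path() {
    sources=$(printf '%s\n' "$2" | nss_sources passwd)
    first=${sources%% *}
    if [ "$first" = "files" ] && printf '%s\n' "$3" | is_local_user "$1"; then
        echo files
    else
        echo remote
    fi
}

# live_check NAME: on a real host, time getent for NAME and show where the
# entry should have come from. Not part of the offline sample run below.
live_check() {
    nss=$(cat /etc/nsswitch.conf)
    pw=$(cat /etc/passwd)
    start=$(date +%s)
    getent passwd "$1" >/dev/null
    end=$(date +%s)
    echo "$1: expected source=$(lookup_path "$1" "$nss" "$pw"), getent took $((end - start))s"
}

# Offline demonstration with the constructed samples.
for u in oracle jdoe; do
    echo "$u -> $(lookup_path "$u" "$SAMPLE_NSSWITCH" "$SAMPLE_PASSWD")"
done
# oracle -> files   (local entry, files first: NSS needs no LDAP round trip)
# jdoe   -> remote  (not in files, so NSS falls through to ldap)
```

<div dir="ltr">If <code>lookup_path</code> says <code>files</code> for the account yet <code>live_check</code> still shows a multi-second <code>getent</code>, the NSS layer itself is slow, which matches the broken-nss explanation given above; if <code>getent</code> is fast and only sudo hangs, look at sudo's PAM stack and its own LDAP configuration rather than nsswitch ordering.</div>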